Analysis
max time kernel: 796s
max time network: 1789s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 22-07-2023 16:08
Static task: static1
Behavioral task: behavioral1
  Sample: Mercurial.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: Mercurial.exe
  Resource: win10v2004-20230703-en
General
Target: Mercurial.exe
Size: 3.2MB
MD5: a9477b3e21018b96fc5d2264d4016e65
SHA1: 493fa8da8bf89ea773aeb282215f78219a5401b7
SHA256: 890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645
SHA512: 66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c
SSDEEP: 98304:5kjozJ9/im8XVBKl6t1buVfRhq+5tXzgCa/T:lzJpjS346t1bIfuq07
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1122239507517931591/t8OIvSAy-gUrhwHF19g2icC0QVzPLTYshtzEpijTbb7noKr_jWj3tRMdREfJ_ScponP8
Signatures
- Mercurial Grabber Stealer
  Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | nikario.exe
- Looks for VMWare Tools registry key (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | nikario.exe
- Checks BIOS information in registry (2 TTPs, 1 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | nikario.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  2380 | nikario.exe
- Obfuscated with Agile.Net obfuscator (13 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
  resource | yara_rule
  behavioral1/memory/2284-57-0x00000000004B0000-0x00000000004CC000-memory.dmp | agile_net
  behavioral1/memory/2284-58-0x0000000000530000-0x0000000000550000-memory.dmp | agile_net
  behavioral1/memory/2284-59-0x0000000000560000-0x0000000000580000-memory.dmp | agile_net
  behavioral1/memory/2284-60-0x0000000000950000-0x0000000000960000-memory.dmp | agile_net
  behavioral1/memory/2284-61-0x00000000009F0000-0x0000000000A04000-memory.dmp | agile_net
  behavioral1/memory/2284-62-0x0000000000CA0000-0x0000000000D0E000-memory.dmp | agile_net
  behavioral1/memory/2284-63-0x0000000000B20000-0x0000000000B3E000-memory.dmp | agile_net
  behavioral1/memory/2284-64-0x0000000002480000-0x00000000024B6000-memory.dmp | agile_net
  behavioral1/memory/2284-65-0x0000000000D10000-0x0000000000D1E000-memory.dmp | agile_net
  behavioral1/memory/2284-66-0x0000000000D20000-0x0000000000D2E000-memory.dmp | agile_net
  behavioral1/memory/2284-67-0x0000000005310000-0x000000000545A000-memory.dmp | agile_net
  behavioral1/memory/2284-70-0x0000000000C60000-0x0000000000CA0000-memory.dmp | agile_net
  behavioral1/memory/2284-76-0x000000000B990000-0x000000000BA90000-memory.dmp | agile_net
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  107 | ip4.seeip.org
  110 | ip4.seeip.org
  111 | ip-api.com
  106 | ip4.seeip.org
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | nikario.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | nikario.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | chrome.exe
  File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | chrome.exe
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  2892 | 2380 | WerFault.exe | nikario.exe
- Checks SCSI registry key(s) (3 TTPs, 1 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | nikario.exe
- Enumerates system info in registry (2 TTPs, 7 IoCs)
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | nikario.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | nikario.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | nikario.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | nikario.exe
- Modifies registry class (64 IoCs)
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | chrome.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\0\MRUListEx = ffffffff | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_Classes\Local Settings | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3} | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 | chrome.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | chrome.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\MRUListEx = ffffffff | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\0\NodeSlot = "6" | chrome.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193" | chrome.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "3" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | chrome.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | chrome.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000078000000 | chrome.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0" | chrome.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | chrome.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | chrome.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | chrome.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | chrome.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1 | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48" | chrome.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 7400310000000000ec5635601100557365727300600008000400efbeee3a851aec5635602a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "4" | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | chrome.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | chrome.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 5200310000000000ec563560122041707044617461003c0008000400efbeec563560ec5635602a000000ed0100000000020000000000000000000000000000004100700070004400610074006100000016000000 | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | chrome.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | chrome.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1 = 4c00310000000000f6561d8110204c6f63616c00380008000400efbeec563560f6561d812a000000000200000000020000000000000000000000000000004c006f00630061006c00000014000000 | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | chrome.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | chrome.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\NodeSlot = "5" | chrome.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes:
  pid | process
  2552 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  pid | process
  2284 | Mercurial.exe (8 entries)
  2700 | chrome.exe (4 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid | process
  2652 | chrome.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2284 | Mercurial.exe
  Token: SeShutdownPrivilege | 2700 | chrome.exe (63 entries)
- Suspicious use of FindShellTrayWindow (41 IoCs)
  Processes:
  pid | process
  2700 | chrome.exe (41 entries)
- Suspicious use of SendNotifyMessage (32 IoCs)
  Processes:
  pid | process
  2700 | chrome.exe (32 entries)
- Suspicious use of SetWindowsHookEx (10 IoCs)
  Processes:
  pid | process
  2652 | chrome.exe (10 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description | pid | process | target process
  PID 2700 wrote to memory of 2916 | 2700 | chrome.exe | chrome.exe (3 entries)
  PID 2700 wrote to memory of 1076 | 2700 | chrome.exe | chrome.exe (38 entries)
  PID 2700 wrote to memory of 1656 | 2700 | chrome.exe | chrome.exe (3 entries)
  PID 2700 wrote to memory of 1096 | 2700 | chrome.exe | chrome.exe (20 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
  PID: 2284
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j24kc3sf\j24kc3sf.cmdline"
    PID: 2616
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B77.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE7B876DF102F47AFBE218D1DFA9965B3.TMP"
      PID: 1996
C:\Program Files\Google\Chrome\Application\chrome.exe
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 2700
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6c79758,0x7fef6c79768,0x7fef6c79778
    PID: 2916
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1480 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:8
    PID: 1656
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:2
    PID: 1076
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:8
    PID: 1096
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2276 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:1
    PID: 1628
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2284 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:1
    PID: 1152
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1420 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:2
    PID: 1700
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3176 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:1
    PID: 2636
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3200 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:8
    PID: 1604
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3536 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:8
    PID: 1912
  C:\Program Files\Google\Chrome\Application\chrome.exe
    command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2716 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:8
    PID: 2872
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2544 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:12⤵PID:2176
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:82⤵PID:2164
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2824 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:12⤵PID:668
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=696 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:12⤵PID:2620
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3772 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:12⤵PID:1532
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2820 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:12⤵PID:240
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2832 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:82⤵PID:2872
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:82⤵PID:1424
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\httpsdiscord.comapiwebhooks11222395.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2552
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:82⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2652
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3828 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:12⤵PID:632
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4108 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:12⤵PID:2376
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4336 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:82⤵PID:1808
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3796 --field-trial-handle=1356,i,13816367547384598155,12420097749147974427,131072 /prefetch:82⤵PID:1696
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:2632
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:1300
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4801⤵PID:2052
-
C:\Users\Admin\AppData\Local\Temp\nikario.exe"C:\Users\Admin\AppData\Local\Temp\nikario.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:2380 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2380 -s 17682⤵
- Program crash
PID:2892
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B
MD5
f77e1f1e685bb02ae80a05b27734597d
SHA1
8325f0e069cb033e2d17bee842fda9d9d26b4ecb
SHA256
f6c15b2f9c3611d64fb22e191cd05327de2ffa16097f309db5fab46e9b20ca34
SHA512
c43d877d9b5b36c1104cca97dc4a73fee7a94733cdcc74f882699b6da0eb267fb7e19baf6b64fae4536efa20df608ef24260b423316b9b4c3f704127cac75164
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B
MD5
7b9371d3abc35676487341af4d43d893
SHA1
eec1f194a0fb29843b7fb00544ccf9b8a206df83
SHA256
35d00e55bfce51702cb8244814c1a5054f87696354b771584f4f0407f59ddc77
SHA512
685a487185c2e07a12f86daecfa7e00952c48b3f05812791dd6bed58382f092ba90a5104ecf56a225eddd290ffcb9f01ba705201d4620006e12a8dfde9ad0dc8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B
MD5
ce0c38ed68f4d64323fd88601ea66477
SHA1
4cbdc78dcf29db0216c4c1bcccacfca52f948425
SHA256
4500cc81c3ee3f9b726179642a0372c829ee37439c1e741c485d600e80f9126d
SHA512
eb9da110d8a2d72ae7c6b6f1e90d98e0b36b48ae60f52698f875f4f047f097f7bbf5c5412fb335c7758932de1885eaa05aa0f329b5e6a21657d0bca57b47f642
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B
MD5
a64981ea6043c42f9a7b7a4bc3579214
SHA1
f9a40c0cd5f299b9214826a821b2a048c572e654
SHA256
32860cbde05359401d1dbcbd9091fb6dc5cbd0bb6964ddb3005eb1a79b30f8f3
SHA512
4b806647e8633e55c773ba8c6ae415f198c7c5eecee7d74fedba1d27aee977d4d6ff8d04a1908542c43d0b4da93a746c58d7cecf0c80547bde68b898abe3f083
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B
MD5
95ecb88569eb462af31220213cfd7fa7
SHA1
5fb677aa7c16ecf06f5c78fbb068bb81fa4e4603
SHA256
464606aacc04520d8181aaf6ef26916a6b30daa66ca7d3f3cd162ae0fe3c78fe
SHA512
601e2b05cb54b85e3107315771003bd1ab4e0a0e435528ba0906a3fab769747f8d12baeeda11fa60177f010c6955e1ed48e0567b7cf234cf16a1f87ef45bee24
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B
MD5
d543e5e39540bd658b18add48d3e0ab9
SHA1
11230cf9fa9eb8a8b432a1dc88dd81acffe57a16
SHA256
869b9ba21299c62f22f291def783fcd8fef85277698fc6957d8e78a172320da0
SHA512
60143cf186f07ca7a17c7e22c4db0371614ec16e5cf52e67730c424bf5caa8be222f2cb37bba21a413b52b89e7409b5580d88cb16b7043233b2b418105e7b9a7
-
Filesize
240B
MD5
2399ac9aa6e4bc5be21a0ae1adebd2b0
SHA1
11fa67a208b20bbaabdc9a675e1d0445b22ed7d5
SHA256
19e4ffae48614a849268c56ce585a3930a384b713c17f5c93bbd40ac1a5de4c3
SHA512
addb92f93fb82296b2c50816a17bb3c4b857b4ee2539f080eca4563fa2265fed9bd314b28ca4fd711aee92937d04613d75e7c74b4847ef5d9425e6dfc16faaff
-
Filesize
264KB
MD5
f50f89a0a91564d0b8a211f8921aa7de
SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_anonfiles.com_0.indexeddb.leveldb\CURRENT~RFf7d8391.TMP
Filesize
16B
MD5
46295cac801e5d4857d09837238a6394
SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
3KB
MD5
aed6663a63ae10659b2fdf8349bc0673
SHA1
02abd563753f39172fd1fed095e439165ec2abb8
SHA256
be8bfc57eee642906f785b858520e053bc803c7ec4404067ea04ce492d71ed5f
SHA512
799027f57466a147e9e7fe553f82147b84e476fac1986864585502cfd3e2706c52a4ec8e4b8333af29b73196be1ad781d242a8ad560b36ba99537097a4e9298f
-
Filesize
1KB
MD5
df234ec65483d59898c0a790038e95f8
SHA1
86ec793f746eb4a1f7211e2bc92e6202ab4927ee
SHA256
7f7eb2ffe9159003a562d96888fd3dcd80af6d66cc8dbdbdb569bbeb3dff674e
SHA512
a9ee1159b16d4db0bc5c8e98d8dd36ee7ee08d9795dfc9c9edbbf700006827c7026f2d40ee1287d3111af1793c6f8b25bdc9bd0b0a08193ddd5277f4567e530f
-
Filesize
525B
MD5
b96f3b947de4478ad612ca128017454f
SHA1
e5b9261f1e097caa8df61ddc261b4a43215f1c19
SHA256
73aaef17b358e3ec6fb24fc0bc82aad5f0495fa4b3e924ea482dcb55bbf0b68b
SHA512
82b658a9ce4b2789c972447abe0bed8342adcab0d5b28a6ea5b86254cd18a989bd2f44b54a849c3e736dba8ee5f58fd35afe464704d9eecb27c8bdb43f24cc85
-
Filesize
689B
MD5
4e2f878c67a3985c218a6b7684b541b5
SHA1
f6ed5d48795017497f5940c67bad44ae6818735e
SHA256
7f872b354d2041e4842d9f8070e49c35d94047301aa0d9bf92df4aaa733f0262
SHA512
eb8acb12ff5becf19153a8866107f065f974e3e26bc17a09330fdd760cfde385f83b180fba99791444cf41dab7ba9208d553b0e7d4d4453aaa53d482be091fef
-
Filesize
5KB
MD5
8851d6cb9d8013879224e96895987f8c
SHA1
2bf38cfacc38f4eeab3f39e8bc5cd55b7036499e
SHA256
947fa593a3674068f5eec2f61bdbaab76cffcdb11eb5ec136549f82de47abfa1
SHA512
c11e83c548f1de27a326d4bbe2722028fb91d618cd859d98e50e098748c13a9c2c7348425a8c4e94e7391c4cc524f602b778f1f90936a14e014d6bca17609c7d
-
Filesize
4KB
MD5
d4fc2986398cb56a16dc70f6de290389
SHA1
92cab39ef2ce34a162588c2d84232f3d1fea682d
SHA256
58574421dcd158f87b9f703f2ba30be36a646dd150069309e758f2cf526c6d6a
SHA512
eb7bf9865d0240941a04e028cf758cfc2298a78c88b785a9d95b9a00aacfd43d28b1d0d80c367d4500d595eb3bc06257292511deaa582ec2fd4d5bfd58ca98f2
-
Filesize
4KB
MD5
fc66db98539c79a6d2e49f3a278742de
SHA1
e92fdbb384167202585823f64028f369b6328ed8
SHA256
029aa4e30c11e8b81afe8e18f3d9d8e832801455f8168368950a5a8d74574ad9
SHA512
417e7a27cb7acae60196b5fc1adee8842d6c729c019d61d63ca3ea60f84d0fe526c0dcf6bdc4672189d858930729e09660129b0a6ecfbda62837d37f6cb2da3f
-
Filesize
5KB
MD5
1276607cf0ce3ce3422264bbc5440cb8
SHA1
d8c6679205f5b42573a24e0f416dc7b6d8d3454f
SHA256
82c764c100f5bae792519cf642642c59fa6427b93088af18b14c6c6aac15689d
SHA512
be3e2669905d738c2d64f9c6d804ab20ba34109aa86d26feb7289d02f03022851326df308f7d405e125cc27b6b64f70b764fc1b547603f04fb351addec66ba54
-
Filesize
4KB
MD5
8318903ae23cfde18dd4b569ad0af07f
SHA1
a28dc91a27ea046e8fd27d46408ab6ddce2f3179
SHA256
adf9c03fa3145fa17a016a7cab361d2160679e6710db98b70b841ec2832e660a
SHA512
fb9277fba4c8cf5a7e7ffaa4c950e1661e455f09c98b737f1725b3b131bf587375319afe04a8008579c6c5fa56a0671b6c4bf0271330c0d03370dc1f298310e1
-
Filesize
5KB
MD5
1c16d7631d3ca6cfb30520bdeeba88b0
SHA1
b987529372e8ee6abbe78b52b43f144e925f8b29
SHA256
e09152944e19eceba0d92017af7c2e0f135702f4d8fd85a58ed83fb085a112dc
SHA512
5cb5b49b7a5e3cc402377f87e162b752178ec3d699223e80a31801048fc361f66bad488c20754b4908f0bc611ae706bc4bf7b8ac39c838f9332125fcdaccf80e
-
Filesize
5KB
MD5
bfa6ac825163eaee54acf04b58b53102
SHA1
f7ec4cc6fc5aa956e45e4b9129cce50e57e946b5
SHA256
12a1dba26f2ca4118a795fca145b48fbdb6f1051fd0e2bf26973abef62bb46f2
SHA512
71c5b3449b7130fb327bb1d48de22f768b9a477a97ca754bf889276884354b6f5662d86ffc8a4cdb232ac780ce7ab13db3e30ba18be7db4506db483b93fb4dae
-
Filesize
5KB
MD5
f07b8dc83b44855b139bacfa12502a4a
SHA1
77e7efb33cf224c717b937d5c80762da58b91e50
SHA256
6157cb47d8fa2808e1d1caa4b2888da37cea6b76a2dd50ee736fcbd4d46ef894
SHA512
f488b9c1293e28a70b743eec244b1f9303e7ea9e9cfd168eae1d6048d12c690da0cb3f8e46c60568d586fd5115ed8263e31e9c69e36e5031264b279c2a5da888
-
Filesize
16B
MD5
206702161f94c5cd39fadd03f4014d98
SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B
MD5
0082ee79a47a3e8e5e811cc8695dc6f6
SHA1
10eaacf2cd453af556fcbd6c0f35f32494d5f8b6
SHA256
f42ab0ace7258907d3ed53d50c7f7806368f95256b47a33477538e3992ce2423
SHA512
ddc31a4ff791ef29834bc49752423689d9ce54296141f7af8b4ad6227a178107ddce14b2b7f2814e39523db0a3dbbc73b4dd8b426e84a293c5b1b0933bffe45e
-
Filesize
16B
MD5
18e723571b00fb1694a3bad6c78e4054
SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
177KB
MD5
79163349a5ac8552bbfc8e5f8a78ca2b
SHA1
f87c92927e1ea0f314b9b45843e481fda65fb592
SHA256
7e32ed246d16cfbd174a1154f89829407e7773a4d6fe5909162efbb8d0366aa6
SHA512
f7eed7f580c199e998cc9b19f9de88e8a4a266e28c0de90bbb3e040d4997d9e7447ef6a5089eae95bc8144d04f4474e10806550ecc25489d0300151a2a6aff79
-
Filesize
177KB
MD5
d11fe5f272f6f3ffcc8a3e682989efe9
SHA1
591e516e49108764d7cac789ff95a09ed1885c60
SHA256
a28aede80deed1cc58b6e498c5b955c7fd64c5a1beef461270a4d1c257859834
SHA512
a0e593c6768ddb42fb5075e3407eb0a9fbece229583f3c8b2405a9def972f2d169faa8349f6bf49e74dd09e8066fc2d3e0aee74b936bde17ad214eb1420d4cd7
-
Filesize
177KB
MD5
9ea1ecc7a3bf27caceb631ea37982259
SHA1
af541495f951b6a174d5ea51bf5d3de13171bd12
SHA256
121aedf55a8f0220721379e42d119c9bda92f94cc13389e52022ba8493c875a9
SHA512
4c545b3c25e2b1c8562a7c11d28072d0f7b6ad23e0dd497cb14422d2859d5dc3fec5275730af5ed2a5ac3a97332af33b9f1dbc1d3ae5d11e64032ca00ad74d56
-
Filesize
177KB
MD5
836e525bef3de20f673d6ba55e18e7eb
SHA1
89306404a893edc9d8fecbba9d2670aaaf641e85
SHA256
755cd0273d0e124628cd8cf32be8e8575f2fc8cb3ccdae08d0241772b0e45643
SHA512
9dbe009f1a1b30a31cda6899a1c1ee9c541a014997f33b769918e654aab88f6fe22c66c5ffe4d9d6d254c773cf9e5db5d01aab19b724c0425011b34d60661f9e
-
Filesize
177KB
MD5
a408c18d14dd5047b3e9acb0e5279716
SHA1
2cb942a56132f701c8c8b99710f7eded73bf3988
SHA256
8ff83b328bb760a855a0048fa7bd793b17ad0b2f350d355418ea9578b3141c83
SHA512
98dadf44ebabf29c175a368f3c437c4773690f9468797f9190d62ad092b313c7ebff02279a439e27a41819153fde113c477529679bb2b1495eccfaefe963c880
-
Filesize
74KB
MD5
f010709d06e7b82a201fc5d4bd42e96a
SHA1
ba6e34e130575ed119947de330b6a86a747451b0
SHA256
4b4a61b8bfbb11555313c146c98f7f513f7871533179b44f3dba8c280e197580
SHA512
1a5e24db5d4ef7949c9b45772fce6d35f5013841ee66813ee5929157543493b6966743f38ff7f39d1e7ba505aa410827db48368ca08fdda80b99fb570a36c883
-
Filesize
39KB
MD5
098b8ad729f8df417ee860f4051a3c45
SHA1
2008250c8472c105a0c388e6efee87be226110c5
SHA256
eb355229a9ddd5ed76fc62f3a7156862d7798c21922f92b132cc096278d609e6
SHA512
b18f50a4766c1d1a37a6563ee21f651d4b0807b5b93e0d773f9627bba8769b8c7d7cdba0aa0d19f54e5c2213c8c40a40493a122dd28f0a74e3a1bac0e8402552
-
Filesize
178KB
MD5
14f9100d58669a4edd9673445fe61f04
SHA1
03822ecf397b09796f5632be71cd086e069c7cf7
SHA256
e077d3c4e32728b564b4fa6a5f519fbc1ebf6a3cd7a3fa3cc72d1b0ab200b89e
SHA512
96d9083aec89bb222fa69ec78d3ee8600f5d7ea80f5ab5658c2970dc7b6c40fc8a3c50c8145adb9345da07d2c3523758ea5629caf8de053484f70059ab676c69
-
Filesize
62KB
MD5
3ac860860707baaf32469fa7cc7c0192
SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
Filesize
1KB
MD5
71e42bcb56d58cc6abb32b89e7de0d0b
SHA1
753979247a4256d076f26cd925a0333c6eb80a5c
SHA256
80f9ec766f65e8042a19da0bf0bcf6e2bf6ec115970b321d2aff1f339a1cf5fb
SHA512
84e056670cecab3e169cfa2128ab60535c9481236db76b210034d2d2d4089433c7e28050c80c9dd534f2b9338aee446c525317934ff7f0377e038b09a08119c2
-
Filesize
164KB
MD5
4ff65ad929cd9a367680e0e5b1c08166
SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
Filesize
41KB
MD5
8e8049d9717c76375b250797c3b72693
SHA1
776f7c1801af7acc38b251193334514a2a21dac1
SHA256
0422d3cdf21719ea15d48ad333312351130fc9adaab9c92c10e638398232240f
SHA512
e53bb520c704631b6a5d473ad9403e4d318a4c8ad5371d789559aeedcfed4d382be326c956d7d3b7424cecc2a74b8b45cb1248324e546275cc1de8b639d1a44c
-
Filesize
41KB
MD5
8e8049d9717c76375b250797c3b72693
SHA1
776f7c1801af7acc38b251193334514a2a21dac1
SHA256
0422d3cdf21719ea15d48ad333312351130fc9adaab9c92c10e638398232240f
SHA512
e53bb520c704631b6a5d473ad9403e4d318a4c8ad5371d789559aeedcfed4d382be326c956d7d3b7424cecc2a74b8b45cb1248324e546275cc1de8b639d1a44c
-
Filesize
121B
MD5
79ff8992f531159e5d4d826ed5934e23
SHA1
03a01f82f921e9bfbbba63033b3f3f1628bb930f
SHA256
2f98f355a04421813753e97556ecf07288a69858299b16f641a68ad8385d9120
SHA512
95dc1a3c61a8ce789695c42919adf93896c7b95fccab14de1ed0f809914185d3e72e8c73adeb96ca34c49727be660901d89b30863a132057fb5a79fb0c714926
-
Filesize
1KB
MD5
b66ab1f88f837f85783b9f534cafe8ad
SHA1
f3c35548441395f4554629e7acb3120e8150d4b3
SHA256
c08a50fabfdc0034efa1b7c62a551ada9068738d55fdc70683b2fb8f8b22fbd5
SHA512
bd26a0143d2f91d6223e2af859e2d0e9f4012cd5724c903b60521f65c64703c2cad1cbf0c8c2572401e4d296bb196d8d9c22ed9e2de4812dcf9d15da855bc0b7
-
Filesize
11KB
MD5
bfa89cacc659b9f1abd5cf12ae00551e
SHA1
a9118217d885f20968db9b72a1d825443e092f0f
SHA256
c5d1093c30f5f0a5dc88e197a4c538ce48e8e49506fec3909022997beb9747fb
SHA512
efb6789c8eb3511b335848e1af6eae0e916f058334a54ceda496a03b2f5c628aa79e8daf187b754ee3fd8d83dda8b6912a04a2515dd0a3ad5882c3c14d135dea
-
Filesize
5KB
MD5
8aab1997664a604aca551b20202bfd14
SHA1
279cf8f218069cbf4351518ad6df9a783ca34bc5
SHA256
029f57fa483bbcee0dd5464e0d4d89bd03032161424d0ffd1da2b3d5db15977f
SHA512
cf0efea853d7e1997dcfcc9a73668ed9a5ac01cf22cbb7082a05abc141fccc7c92a936b245666071df75389cd7ebe60dc99b3c21279173fe12888a99034a5eda
-
Filesize
7KB
MD5
6fdae9afc1f8e77e882f1ba6b5859a4e
SHA1
33eb96f75ffe9a1c4f94388e7465b997320265a5
SHA256
a365264dd2d3388acc38b2f5c8f3c267bbf83ca463f70fbf6c8459123a7cc33d
SHA512
97bb77e8c9c7a1a46fa416a917787ddced3439f72ea35558f22fa2450fbbd11928f3442baec0b33b14576683baa6c1c6b3e1376bd7742da358c808bf07db28e9
-
Filesize
8KB
MD5
6ba707982ee7e5f0ae55ce3fa5ccad17
SHA1
d094c98491058ed49861ce82701abe1f38385f18
SHA256
19af9bea270f830354af8250cd82db32fdcab6327d139e2720713fb7d43a5797
SHA512
d9cf480c32bfb806c72a2dc6fe211c4806388ccf548d55b059e633e8f814d46c80ef73eacfb02398fd3b1e75b7c44b8a1ba0b29476edbf9fe1b29322798d3cfa
-
Filesize
2KB
MD5
fae5458a5b3cee952e25d44d6eb9db85
SHA1
060d40137e9cce9f40adbb3b3763d1f020601e42
SHA256
240478bb9c522341906a0ef376e0188ce6106856a26a3ae0f7b58af07a377a06
SHA512
25f406f747518aef3a1c5c3d66e8bd474429b05ef994303c5f7bc5d3669d691d9dc21ea8f8a35e20b84f8c406bf89835f2f5007a8f743df755e67b4c380fa236
-
Filesize
4KB
MD5
42f157ad8e79e06a142791d6e98e0365
SHA1
a05e8946e04907af3f631a7de1537d7c1bb34443
SHA256
e30402cd45589982489719678adf59b016674faa6f7a9af074601e978cc9a0ed
SHA512
e214e1cd49e677e1ed632e86e4d1680b0d04a7a0086a273422c14c28485dc549cc5b4bde13e45336f0c4b842751dfd6ef702df3524bc6570c477a4f713db09dc
-
Filesize
6KB
MD5
8ec0f0e49ffe092345673ab4d9f45641
SHA1
401bd9e2894e9098504f7cc8f8d52f86c3ebe495
SHA256
93b9f783b5faed3ecfafbe20dfcf1bee3ce33f66909879cd39ae88c36acbdfac
SHA512
60363b36587a3ace9ae1dbc21ffd39f903e5f51945eebdcf0316904eee316c9d711d7a014b28977d54eef25dec13f659aab06325f761d9f3ce9baca3cb12f248
-
Filesize
16KB
MD5
05206d577ce19c1ef8d9341b93cd5520
SHA1
1ee5c862592045912eb45f9d94376f47b5410d3d
SHA256
e2bbdc7ba4236f9c4cb829d63137fdac3a308fd5da96acea35212beafe01b877
SHA512
4648fa7ea0a35a148e9dac1f659601ebf48910ca699ed9ef8d46614c7cbe14fcf47fa30dc87af53b987934a2a56cd71fd0e58182ef36a97ed47bd84637b54855
-
Filesize
561B
MD5
7ae06a071e39d392c21f8395ef5a9261
SHA1
007e618097c9a099c9f5c3129e5bbf1fc7deb930
SHA256
00e152629bdbf25a866f98e6fc30626d2514527beef1b76ebb85b1f5f9c83718
SHA512
5203c937597e51b97273040fe441392e0df7841f680fcca0d761ac6d47b72d02c8918614f030fbf23d8a58cb5625b702546e4c6f93e130cc5d3b41c154c42655
-
Filesize
10KB
MD5
380d15f61b0e775054eefdce7279510d
SHA1
47285dc55dafd082edd1851eea8edc2f7a1d0157
SHA256
bef491a61351ad58cda96b73dba70027fdbe4966917e33145ba5cfa8c83bc717
SHA512
d4cbaad29d742d55926fea6b3fa1cf754c3e71736e763d9271dc983e08fce5251fa849d4ecdc1187c29f92e27adab22b8f99791e46302b5d9c2e90b832c28c28
-
Filesize
834B
MD5
dcf805911bf86b2b6a91f60f084f9dd7
SHA1
679dc1fe93e6bcb1d42caa89c24b947e7fab9555
SHA256
4853b2a3e2959039409706479d578694217d97cb2741348c2d486bc8f2f59e11
SHA512
d961342d55f3f5dcb2b51e88b9d6fa120947a9c767a1e36cf3b2b79e3b19e42944011470090a42096985fdc7c6ec9e7dbd663a4902657524d42f628615b7025d
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e